home

desktop.exe

Desktop

Super Web LLC

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application desktop.exe by Super Web has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Web Desktop’.
Publisher:
Microsoft  (signed by Super Web LLC)

Product:
Desktop

Version:
1.0.0.0

MD5:
99cb5fa727bca627edebba5fc3dbb781

SHA-1:
e79b92df41d6ef86132c2e956dff452ac75a4684

SHA-256:
a6e002a7fc7076abef894dce5811538156523f4437451687849d4c23e1e669a6

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
4/26/2024 7:56:31 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.SuperWeb.H
14.9.6.23

File size:
38.8 KB (39,720 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © Microsoft 2013

Original file name:
desktop.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\web layers\desktop.exe

Digital Signature
Signed by:
Super Web LLC

Authority:
VeriSign, Inc.

Valid from:
12/13/2012 7:00:00 PM

Valid to:
12/14/2013 6:59:59 PM

Subject:
CN=Super Web LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Super Web LLC, L=Los Angeles, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4119CF85506B9920A6B0FFA138C96637

File PE Metadata
Compilation timestamp:
7/18/2013 9:02:14 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
768:sO8Nnn6BT6RuwlMdlKxFf2JdX0Lt1eysMRL+OKLBx6J2XX:sRNnn6GRuwlMdlKLf2JdYlnRL+OKLBxl

Entry address:
0x979E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 02, 00, 10, 00, 00, 00, 20, 00, 00, 80, 18, 00, 00, 00, 38, 00...
 
[+]

Entropy:
5.9749

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
30 KB (30,720 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Web Desktop

Command:
C:\Program Files\web layers\desktop.exe


Remove desktop.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.